What is Multi-Factor Authentication (MFA), and Why Do I Need It?

If you have used a computer or smartphone, especially in an office setting, you’ve encountered some form of multi-factor authentication. This security mechanism adds a layer of protection to the login process, and it is growing in popularity, but is there a good reason for all of the fuss?

Let’s start by defining multi-factor authentication (MFA).

Multi-factor authentication (MFA) is a security procedure that requires more than one method of independent verification to prove the user's identity for a login or other transaction.

The user must log in with a combination of information from these categories:

Something You Know—A password or a security question.

Something You Are—Biometrics, like a fingerprint or retinal scan.

Something You Have—A passcode from a smartphone app or dongle or a phone call.

So, now that we are working with a common definition...

Why does multi-factor authentication matter?

To get at the answer, let’s consider a couple of stats.

There are more than 1.9 billion stolen passwords and usernames available on the black market (Google).

73% of users use the same password for multiple application accounts (Microsoft).

81% of security incidents are caused by credential theft (Verizon).

So, in theory, if every stolen password belongs to a unique user, a malicious actor could infiltrate billions of additional accounts beyond the account the stolen credentials were originally taken from. The sheer magnitude of this vulnerability is astounding and continues to grow exponentially. A single form of authentication is no longer sufficient or secure, hence the major push towards multi-factor authentication to keep cyber criminals from hacking into accounts.

It is imperative that companies implement multi-factor authentication across the board in order to protect employee accounts, but even more so to protect the entire organization. Multi-factor authentication reduces the risk of unauthorized users gaining access to your network and/or data by requiring users to provide additional verification information beyond just a password to access the network. But beware, not all multi-factor authentication applications are equally secure. The National Institute of Standards and Technology (NIST) no longer recommends SMS text messages as a secure multi-factor solution because there are simple malicious applications that can steal the one-time passcodes. That being said, SMS is still better than just a password.
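How a password and an app-generated one-time passcode combine into two independent checks, as an added example that is not part of the original article. It assumes the smartphone app uses the standard TOTP algorithm (RFC 6238), which the article does not name; the account record, password and salt are constructed sample values, and the secret is the RFC 6238 test key.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time passcode (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """Time-based passcode (RFC 6238): HOTP over the current 30-second step."""
    return hotp(secret, int(now) // step, digits)

def verify_totp(secret, submitted, now, last_used=-1, window=1, step=30):
    """Return the matching time step, or None. Steps at or before last_used
    are rejected so a captured code cannot be accepted a second time."""
    current = int(now) // step
    for counter in range(max(0, current - window), current + window + 1):
        expected = hotp(secret, counter).encode()
        if counter > last_used and hmac.compare_digest(expected, submitted.encode()):
            return counter
    return None

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account (assumption: a server-side record shaped like this).
ACCOUNT = {
    "salt": b"constructed-salt",
    "pw_hash": pw_hash("correct horse battery staple", b"constructed-salt"),
    "totp_secret": b"12345678901234567890",
    "last_step": -1,
}

def login(account: dict, password: str, code: str, now: float) -> bool:
    """Grant access only if the password (something you know) AND the
    passcode from the enrolled device (something you have) both verify."""
    knows = hmac.compare_digest(pw_hash(password, account["salt"]), account["pw_hash"])
    step = verify_totp(account["totp_secret"], code, now, account["last_step"])
    if knows and step is not None:
        account["last_step"] = step              # burn the code after one use
        return True
    return False
```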

The path to enterprise implementation of multi-factor authentication is not without challenges, but it will be worth its weight in gold when it saves your company the financial, legal, and reputational damage that can result from a cyber attack.